Go to main content

man pages section 1M: System Administration Commands

Exit Print View

Updated: July 2017
 
 

sxadm (1M)

Name

sxadm - manage Solaris security extensions configuration

Synopsis

sxadm enable [-c property=value[,property=value,...]]
      extension[,extension,...]

sxadm delcust [extension,...]

sxadm disable extension[,extension,...]

sxadm get [-p] [-o "all" | field[,...]] <"all" | property[,...]>
     [extension]

sxadm help [subcommand]

sxadm set property=value[,property=value,...] extension

sxadm status [-p] [extension]
sxadm exec [-s extension=value],... command

Description

The sxadm command configures and provides information regarding Solaris security extensions. These extensions can be applied at the system level, or at the process level.

Security extensions for a process are determined by exec(2), and become effective for a process from that point forward. Extensions persist for the lifetime of the process until the process exits or calls exec(2) again. System level extensions can affect all processes. Process level extensions affect individual processes, and are inherited by any child processes, providing the child process is not privileged. See SECURITY EXTENSIONS.

Individual executables can be tagged with security extension requirements when built with ld(1). This tagging ensures the associated process requirements are met regardless of any system level extensions. Executables with tagged security extensions can be overridden with process level extensions. See EXECUTABLE TAGGED EXTENSIONS.

SECURITY EXTENSIONS

The following security extensions are available. These extensions reduce the chances of attackers finding known entry points, or planting exploitation code in locations that can later be executed.

ASLR- Address Space Layout Randomization

ASLR activates the randomization of the location of key areas of the process, such as the stack, brk-based heap, and memory segment mappings. The memory mappings of an application that is built as a position-independent executable are also randomized under ASLR.

NXHEAP- Non-Executable Heap

NXHEAP prevents pages allocated for the process heap from being executable.

NXSTACK- Non-Executable Stack

NXSTACK prevents pages allocated for the process stack from being executable. Backward compatibility with legacy /etc/system noexec_user_stack and noexec_user_stack_log settings is maintained, although such controls are deprecated and sxadm should be used instead.

By default, the global zone and all non-global zones have the ASLR and NXHEAP extensions enabled only for tagged binaries, while the NXSTACK extension is enabled for all processes.

SECURITY EXTENSION PROPERTIES

A security extension can have one or more properties. All extensions have a model property. This property defines what the extension is applied to. Following are the model properties that exist.

model=all

Enable the security extension for all processes.

model=tagged-files

Enable the security extension for tagged binaries.

model=default

Follow the security extension system default. See SECURITY EXTENSIONS.

Security extensions may have additional properties.

NXHEAP and NXSTACK provide a logging property, which, when enabled, reports attempts to execute from non-executable memory ranges (stack for NXSTACK, heap and data for NXHEAP).

log=enable

Enable logging.

log=disable

Disable logging. (Default configuration)

MANAGING SECURITY EXTENSIONS

Security extensions can be modified system wide using the sxadm subcommands enable, disable, set, and delcust. For example, the following sxadm commands enable extensions system wide:

% sxadm enable nxstack
% sxadm enable aslr,nxheap

The following sxadm command also enables extensions system wide but by specifically identifying each property:

% sxadm enable -c model=all aslr
% sxadm enable -c model=all -c log=enable nxstack

Security extensions can also be enabled or disabled for a process using the sxadm subcommand exec. This subcommand only affects the status of the security extension. Any other properties of the extension are inherited from the system properties. The following sxadm command ensures the foobar process executes with disabled extensions:

% sxadm exec -s aslr=disable -s nxheap=disable foobar

EXECUTABLE TAGGED EXTENSIONS

Individual executables can be tagged with security extension requirements when built with the following ld(1) options:

–z alsr[=mode]

Control ASLR tagging.

–z nxheap[=mode]

Control non-executable heap tagging.

–z nxstack[=mode]

Control non-executable stack tagging.

The mode can be enabled or disabled. If the mode is not supplied, then enabled is the default.

The security extension defined within a tagged executable interacts with any system wide security settings in the following manner.

  • An executable with an enabled, or disabled security setting is honored without consulting the system security setting. Process level security settings override tagged executable settings.

  • Only executables that have a tagged security setting are honored when the system security setting is tagged-files.

Sub Commands

The sxadm command has the following subcommands:

sxadm enable [–c property=value[,property=value,...]] extension[,extension,...]

Enable the specified extension for the current zone. The –c option allows sxadm to pass property values for the specific extension.

sxadm delcust [extension,...]

Restore the extension to the default configuration. This option effectively deletes any customizations.

sxadm disable extension[,extension,...]

Disable the specified extension for the current zone.

sxadm help [subcommand]

Display usage information about sxadm or more detailed information for each subcommand.

sxadm status [–p] [extension]

Report information on the status of all security extensions for the current zone. If –p is specified, the output is displayed in an easily parseable format. Specifying an extension on the command line filters for the specific extension. Machine parseable output is a list of colon-separated fields:

extension:status (model):configuration (model)

where:

extension

The name of the extension

status

The current status for the extension (enabled or disabled)

model

The current model enabled for the security extension (all, default, tagged-binaries)

configuration

The stored configuration for the extension (enabled, disabled, or sys- tem default)

The characters colon (:), null sign (\0), and newline (\n) are not permitted for any of the components, extension_name, status, extra, and configuration.

sxadm get [–p] [–o "all" | field[,...]] <"all" | property[,...]> [extension]

Display the value of security extensions properties. If extension is specified, display the value of the property only for the specified extension. Specify "all" to display properties associated to all sections. For each property, the following columns are displayed:

extension: the extension the property refers to
name: the name of the property
value: the value of the property

All columns are displayed by default; specify particular or all columns, using the –o option. If –p is specified, the output is displayed in an easily parseable format. Such format is a list of colon-separated fields:

extension:property:value

The characters colon (:), null sign (\0), and newline (\n) are not permitted for any of the components.

sxadm set property=value[,property=value,...] extension

Assign value to the property of the specified extension.

sxadm exec –s [extension=value]... command

Execute the specified command with a specific configuration for security extensions. For each security extension not explicitly configured on the command line, the system configuration is used. Child processes eventually spawned by command inherit the same security extension configuration that is specified on the command line. setuids and privileged binaries do not inherit any configuration. Multiple configurations can be expressed from the command line using multiple –s options. If the same extension is configured more than once, the last occurrence takes precedence. In the following example, foobar is executed with ASLR enabled:

% sxadm exec -s aslr=disable -s aslr=enable foobar

The sxadm exec subcommand is designed to accommodate the common case in which a debugger is applied to a single process started directly by the debugger. It may not be sufficient for more complex scenarios. In such cases, it may be necessary to use sxadm to change the system or zone level security extension defaults, or to apply per-object tagging using the ld(1) utility, in order to facilitate debugging.

This feature is primarily of interest when extensions based on a randomized secret are active (for example, ASLR), since changing memory addresses can complicate some debugging scenarios. This feature is also useful for explicitly testing applications with different security extension configurations.

Examples

Example 1 Displaying the current Security Extensions Configuration
$ sxadm status -p
       aslr:enabled (tagged-files):system default (default)
       nxstack:enabled (all):system default (default)
       nxheap:enabled (tagged-files):system default (default)
       $

       $ sxadm status
       EXTENSION        STATUS                   CONFIGURATION            
       aslr             enabled (tagged-files)   system default (default)
       nxstack          enabled (all)            system default (default)
       nxheap           enabled (tagged-files)   system default (default)
       $
Example 2 Use set/get to set/retrieve Security Extensions Properties
$ sxadm get model aslr
       EXTENSION       PROPERTY          VALUE
       aslr            model            tagged-files
       $

       $ sxadm set log=enable nxheap
       $ sxadm get log nxheap
       EXTENSION       PROPERTY         VALUE
       nxheap          log              enable
       $
Example 3 Running a Debugging Session

The following command sequence illustrates a debugging session being conducted with ASLR disabled.

$ sxadm exec -s aslr=disable /bin/bash
       $
       # Because all processes (except privileged ones) inherit the(disabled)
       # ASLR configuration mdb, truss & co will have repeatable results.

       $ truss -t mmap /bin/true
       mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0)
       = 0xFE5B0000
       mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0)
       = 0xFE5A0000
       mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0)
       = 0xFE590000
       [...]
       $ truss -t mmap /bin/true
       mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0)
       = 0xFE5B0000
       mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0)
       = 0xFE5A0000
       mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0)
       = 0xFE590000
       [...]
       $ truss -t mmap /bin/true
       mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0)
       = 0xFE5B0000
       mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0)
       = 0xFE5A0000
       mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1,0)
       = 0xFE590000

Exit Status

0

The command completed successfully.

1

The command exited due to an error.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/core-os
Interface Stability
Committed

See Also

ld(1), exec(2), attributes(5)